but I don't mean with respect to privacy. But I do mean with respect to the time it takes securing a system based on its usability. Here's a quote:

"What many fail to grasp is that security is a zero-sum game: the easier it is to use something, the more time and effort must go into securing it." - Hacking Exposed Windows Third Edition

I couldn't agree more. The reason I bring this up is that I've seen and heard of colleagues who have a system that the business wants to keep wide open, but the business also wants it as secure as possible. No problem, but it's going to take time. The problem is often that the business has a false expectation of how much time it should take. This corollary basically points out that if the system is wide open, expect that it's going to take time for the technicians to lock it down. In fact, it's going to take a while just to figure out how to go about securing the system without affecting usability in a noticeable way. And it's usually not as simple as dropping everything into one group's lap and calling it done.

When it comes to SQL Server, this all holds true, too. So if you want everyone in the organization to query the data warehouse and you are worried about ensuring they don't walk away with your critical data, it's not so simple to try and dump this on the DBAs. And it's not going to be something that the right personnel are going to be able to secure overnight. Some things they are up against in this usability scenario:

Data exports into local databases or Excel files (which are emailed off, taken offsite on a laptop, or copied to a USB drive).

Copy/Paste to a text file which is treated in a similar manner above.

Screen shots directed to the printer.

From what I've just described, none of those exploits are really within the domain of the DBA. You've got workstation admins, network security personnel, etc. involved now. And you've got multiple layers of defenses that are going to have to be planned, test-deployed, debugged, and then rolled out to try and prevent these and other methods of walking off-site with that sensitive data. All of those people now have to walk that line between usability and time to secure. You don't mind them impacting usability? Fine, they can lock things down quickly. But you want to make sure business users aren't negatively impacted, or if they are, only minimally so? You're now talking about a lot more complexity, a lot more planning, and a lot more scenarios that need to be evaluated. And that all takes time. And sometimes lots of it.

Comments

Posted by Jack Corbett on 11 August 2009

Definitely couldn't agree more. How do you stop a user from downloading to Excel, especially if you use SSRS? How about just saving a web page to a USB key? We've had many discussions where I am about how to secure laptops, USB keys, and data. We haven't come up with an ideal solution yet.

Posted by SQLRockstar on 11 August 2009

nicely put. most shops i know of have a shared responsibility when it comes to security, as opposed to having a dedicated security team. the end result is a lot of confusion and frustration, often at the worst possible times.

Posted by K. Brian Kelley on 11 August 2009

Jack,

1) You try to do egress filtering to block upload of certain MIME types using a web filtering product.

2) You have strict policies in place with respect to USB keys and you employ technology solutions to control them.

3) Laptops you secure with full disk encryption, and this mitigates the theft risk. Some web filtering products allow you to set up filtering servers in the DMZ, and an agent on the laptop can be forced to point back to said filtering server.

But what do you do about screenshots directed to the printer? There's always a weakness.

Posted by Steve Jones on 12 August 2009

Or a digital camera. Intel had this issue with high security systems for their designs years ago. An engineer would work at home, and while he couldn't digitally copy the designs, he took pictures of his monitor and sold those to a competitor.